Deep Panda - three years of attacks to defend China's oil interests

Crowdstrike, a security research firm co-founded in 2011 by Dmitri Alperovitch, the former vice president of McAfee's threat research operation, has drilled down into longstanding industry allegations that China is at the heart of state-sponsored attacks against the west.

Rather than following Mandiant's analysis of these type of attacks in February of last year, Alperovitch's team has concluded the latest Chinese subversions are being launched against US national security think tanks in a bid to better understand US policy on Iraq. If true, this could be the first true politically motivated state-sponsored attack.

It's not all about politics, as Crowdstrike says that China may - like the US - also be interested in protecting its oil interests in the Middle East.

"It wouldn't be surprising if the Chinese government is highly interested in getting a better sense of the possibility of deeper US military involvement that could help protect the Chinese oil infrastructure in Iraq,” said Alperovitch in his analysis of what he calls the Deep Panda attack project.

The Crowdstrike CTO also claims that Chinese Deep Panda attacks have been targeting public and private sector organisations in the financial, legal and telecoms sectors for some time.

Using the firm's Falcon Host endpoint security technology to analyse the attacks, Alperovitch says, "Iraq happens to be the fifth-largest source of crude oil imports for China and the country is the largest foreign investor in Iraq's oil sector."

"Thus, it wouldn't be surprising if the Chinese government is highly interested in getting a better sense of the possibility of deeper US military involvement that could help protect the Chinese oil infrastructure in Iraq. In fact, the shift in targeting of Iraq policy individuals occurred on June 18, the day that ISIS began its attack on the Baiji oil refinery," he explained.

Delving into Crowdstrike's analysis of Deep Panda reveals that the attack vectors being used are highly sophisticated, leading the company to conclude the attack project represents a very serious threat not just to think tanks, but also multinational financial institutions, law firms, defence contractors, and government agencies.

Commenting on the latest Chinese state attack revelations, Will Semple, VP of research and intelligence with Alert Logic, said that there is no doubt that advanced hacking is being used as a technique in traditional corporate and state-sponsored espionage.

"The aim remains the same, to obtain insider information or intellectual property that will give a corporation or nation an economic advantage. When we factor in attributes that are directly outside of the influence of a nation, such as reliance on imported energy supply then you start to put the picture together as to the motivation for some of these persistent and mature programmes of intrusion against private organisations and those that influence international policy," he explained.

The biggest problem, says Semple, is awareness, as a lot of organisations don't think they are a target for these types of state-sponsored groups.

"In reality, a lot of supply chain organisations or web sites that are popular with particular employees are targets simply as they provide avenues of compromise, a stepping stone to the final target. The Target breach was a good example of this, an air conditioning supply company was breached which allowed the attacker to ingress into Target from the weaker supplier," he said.

Keith Bird, UK managing director with Check Point, said there are lessons for IT security professionals in this report, as, whilst in this instance it is a state-sponsored attack, it would be remiss of organisations not to take note as it demonstrates the sophistication of malware that is available to cyber-criminals globally.

"It highlights how even the most security-conscious organisation can be at serious risk of attack from bots or other stealthy malware," he noted.

Tim Keanini, CTO with Lancope, took a similar view. “When you step back and look at this situation, most of these organisations consider security as a part time job at best, yet these attackers make it their full time job and are well resourced plus talented,” he noted.

"Given this match-up, if they want to compromise you, they likely will – so your job is to make it harder for them to operate undetected. This is where the defender has the advantage but seldom is it leveraged, which is why these attackers remain hidden and effective for years," he said.

"The other thing to note is that these adversaries really hate being evicted. They already have more access vectors ready at hand for their return so once detected and remediated, defenders must be extra vigilant as the adversary will evolve and try again," he added.

Keanini went on to say that, when you look at the Chinese strategy used in these attacks, it is the same as any other connected enterprise.

"The adversary will target anywhere the business touches, not just come at you directly. This is why defenders must consider and secure all aspects of their business, from the supply chains and partners all the way down through their consumers. The adversary will come at you from all angles," he said.

SC Media UK arms cyber-security professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.